Rebase and add intl interface to exceptions

Signed-off-by: Egor Savkin <es@m-labs.hk>

nixbld-etc-nixos/configuration.nix

@@ -6,6 +6,7 @@ let
   netifLan = "enp5s0f1";
   netifWifi = "wlp6s0";
   netifSit = "henet0";
+  netifUSA = "trump0";
   netifAlt = "alt0";
   netifAltVlan = "vlan0";
   hydraWwwOutputs = "/var/www/hydra-outputs";
@@ -91,7 +92,7 @@ in
     firewall = {
       allowedTCPPorts = [ 53 80 443 2222 7402 ];
       allowedUDPPorts = [ 53 67 500 4500 ];
-      trustedInterfaces = [ netifLan ];
+      trustedInterfaces = [ netifLan netifUSA ];
       logRefusedConnections = false;
     };
     useDHCP = false;
@@ -205,6 +206,13 @@ in
       addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
       routes = [{ address = "::"; prefixLength = 0; }];
     };
+    greTunnels."${netifUSA}" = {
+      dev = netifWan;
+      remote = "5.78.86.156";
+      local = "94.190.212.123";
+      ttl = 255;
+      type = "tun";
+    };
     greTunnels."${netifAlt}" = {
       dev = netifWan;
       remote = "103.206.98.1";
@@ -212,6 +220,22 @@ in
       ttl = 255;
       type = "tun";
     };
+    interfaces."${netifUSA}" = {
+      ipv4.addresses = [
+        {
+          address = "10.47.3.1";
+          prefixLength = 31;
+        }
+      ];
+      ipv4.routes = [
+        {
+          address = "0.0.0.0";
+          prefixLength = 0;
+          via = "10.47.3.0";
+          options.table = "3";
+        }
+      ];
+    };
     interfaces."${netifAlt}" = {
       ipv4.addresses = [
         {
@@ -275,10 +299,26 @@ in
       start_action = "start";
     };
   };
-  # prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
+  services.strongswan-swanctl.swanctl.connections.usa = {
-  systemd.services.strongswan-swanctl = {
+    local_addrs = [ "94.190.212.123" ];
-    after = [ "network-addresses-${netifAlt}.service" ];
+    remote_addrs = [ "5.78.86.156" ];
-    requires = [ "network-addresses-${netifAlt}.service" ];
+    local.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs.hk";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs.hk" ];
+    };
+    remote.main = {
+      auth = "pubkey";
+      id = "fqdn:m-labs-intl.com";
+      pubkeys = [ "/etc/swanctl/pubkey/m-labs-intl.com" ];
+    };
+    children."${netifUSA}" = {
+      mode = "transport";
+      ah_proposals = [ "sha256-curve25519" ];
+      remote_ts = [ "5.78.86.156[gre]" ];
+      local_ts = [ "94.190.212.123[gre]" ];
+      start_action = "start";
+    };
   };
 
   systemd.services.network-custom-route-backup = {
@@ -290,6 +330,15 @@ in
       ExecStop = "${pkgs.iproute2}/bin/ip rule del table 2";
     };
   };
+  systemd.services.network-custom-route-usa = {
+    wantedBy = [ "network.target" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStart = "${pkgs.iproute2}/bin/ip rule add from 10.47.3.0/31 table 3";
+      ExecStop = "${pkgs.iproute2}/bin/ip rule del table 3";
+    };
+  };
   systemd.services.network-custom-route-alt = {
     wantedBy = [ "network.target" ];
     serviceConfig = {
@@ -660,13 +709,6 @@ in
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMUaB2G1jexxfkdlly3fdWslH54/s/bOuvk9AxqpjtAY robert-jordens-ed25519"
     ];
   };
-  users.extraUsers.nkrackow = {
-    isNormalUser = true;
-    extraGroups = ["afws"];
-    openssh.authorizedKeys.keys = [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDBNsAtZdp0BMvw0rRpMDgJ0V9hqB/BVSyhZ3m8LEx0im939ya6Urmlz3x7+RilD1LMl/p4B1Yxt+z/w7J5NB7unTYlKigJr/s9aH/0IKCFRvO5Omw88k3tWCCRA9KbbXAh0OE/Kli09rrgRuB6++c+XBZ4IvFvohfML0eAjdofn6ePnLWt+R/RNvNjmSb5y7rSIbJ9t+B7O1QOr7u+1GgZEexhG79o52I4rsrgyhUJOK4FbDGPnIkFYFeB2alijzbM1bAu9GR6BD4HBoqeW+DF7tUZs8GYtJsBX8rMnzuR3t8pM7RcGjY5IHQM9MM5WpHokJCFNSSzrvFgbK7CBFklOtipo1H1fwOuDuT3sCE3/ZTK5UgfKGdsb+vsvZub7KBNXfgru2webpl/rLcDJpn3eSDX/ZMGXVV8zskteQHtakra52bc2IeFaPiE1V+WeUB/LpIvRWG+Eh1VEgbUcjoVkaIBu6tQflW7US3uCGYan9Hw80MkwxAmqY1pogAJgzxsYbqdcNb8Xrra6LYFeMD8HXKdW9sXh7mzxDwwkzqjXCKPavWPT7ujicTRlJC6TfmZTdZUPh2mjvzUZI9ZPr50hkV0EAdERn57HwPGMlHiOCntPI/Jw3XmZXIOxChkyss5YFF5mWIzYOp5YxWBlWusNpnMeZCk2ncJmdXcAd6GzQ=="
-    ];
-  };
   users.extraUsers.eduardotenholder = {
     isNormalUser = true;
     extraGroups = ["afws"];
@@ -1207,6 +1249,18 @@ in
     };
   };
 
+  services.postfix.mapFiles.sender_transport = pkgs.writeText "sender_transport" ''
+      @m-labs-intl.com intltunnel:
+      * :
+  '';
+  systemd.services.postfix-rebuild-sender-relay = {
+      description = "Postfix Rebuild Sender Dependent Transport Maps";
+      serviceConfig = {
+        ExecStart = "${pkgs.postfix}/sbin/postmap /var/lib/postfix/conf/sender_transport";
+      };
+      wantedBy = [ "multi-user.target" ];
+  };
+
   mailserver = {
     enable = true;
     localDnsResolver = false;  # conflicts with dnsmasq
@@ -1215,8 +1269,22 @@ in
     enablePop3 = true;
     enablePop3Ssl = true;
     certificateScheme = "acme-nginx";
-    policydSPFExtraConfig = "skip_addresses = 5.78.86.156,2a01:4ff:1f0:83de::1";
   } // (import /etc/nixos/secret/email_settings.nix);
+  services.postfix = {
+    config = {
+      sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
+    };
+    masterConfig."intltunnel" = {
+      type = "unix";
+      command = "smtp";
+      args = [
+        "-o" "smtp_bind_address=10.47.3.1"
+        "-o" "inet_interfaces=10.47.3.1"
+        "-o" "inet_protocols=ipv4"
+       ];
+    };
+  };
+
   services.roundcube = {
     enable = true;
     hostName = "mail.m-labs.hk";

nixbld-etc-nixos/named/m-labs-intl.com

@@ -23,7 +23,6 @@ ns						A		94.190.212.123
 ns						AAAA	2001:470:18:390::2
 
 mail					A		5.78.86.156
-mail					AAAA	2a01:4ff:1f0:83de::1
 mail._domainkey			IN	TXT	"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJVPuhSGXghO7ib8Em/Se3jfCCIJK5g4zn5pGZ3/e0I0f+zGHMuvwpjkAKf6eSmo/AAXEaco28pDi3qE5xfV512AJsORCfPoPFyNhLsj/qtri6hc5KVSWW0Ja3MSFBINDCaX78c7PXPY+3jJJGpwSBDLjdxj9AQwtfiCVlH4qE/QIDAQAB"
 _dmarc					TXT		"v=DMARC1; p=none"